25d9783514
* Add authorization section to the docs Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com> * Slow down Bootstrap gif Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com> * Use heading 4 instead of italic Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com> * Replace gif with carousel Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>
2.2 KiB
Server configuration
Securing PostgreSQL connections
By default, Mainflux will connect to Postgres using insecure transport. If a secured connection is required, you can select the SSL mode and set paths to any extra certificates and keys needed.
MF_USERS_DB_SSL_MODE the SSL connection mode for Users.
MF_USERS_DB_SSL_CERT the path to the certificate file for Users.
MF_USERS_DB_SSL_KEY the path to the key file for Users.
MF_USERS_DB_SSL_ROOT_CERT the path to the root certificate file for Users.
MF_THINGS_DB_SSL_MODE the SSL connection mode for Things.
MF_THINGS_DB_SSL_CERT the path to the certificate file for Things.
MF_THINGS_DB_SSL_KEY the path to the key file for Things.
MF_THINGS_DB_SSL_ROOT_CERT the path to the root certificate file for Things.
Supported database connection modes are: disabled (default), required, verify-ca and verify-full.
Securing gRPC
By default gRPC communication is not secure as Mainflux system is most often run in a private network behind the reverse proxy.
However, TLS can be activated and configured.
Server configuration
Users
If either the cert or key is not set, the server will use insecure transport.
MF_USERS_SERVER_CERT the path to server certificate in pem format.
MF_USERS_SERVER_KEY the path to the server key in pem format.
Things
If either the cert or key is not set, the server will use insecure transport.
MF_THINGS_SERVER_CERT the path to server certificate in pem format.
MF_THINGS_SERVER_KEY the path to the server key in pem format.
Client configuration
If you wish to secure the gRPC connection to things and users services you must define the CAs that you trust. This does not support mutual certificate authentication.
Adapter configuration
MF_HTTP_ADAPTER_CA_CERTS, MF_MQTT_ADAPTER_CA_CERTS, MF_WS_ADAPTER_CA_CERTS, MF_COAP_ADAPTER_CA_CERTS - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the adapter will fail to start up.
Things
MF_THINGS_CA_CERTS - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the service will fail to start up.